On the subject of NTAs that should be there - Should there be text describing auto-adding of NTAs based on important domains (for the ISP/resolver's definition of important)? So that domains that are used by low-level services, which also aren't normally visible to end users, don't fail? One example is nist.gov. When nist.gov messed up and went DNSSEC BOGUS, time.nist.gov was unreachable by validating resolvers. Unless the log files were detailed, a user may not know what is going on or that NTP is having issues.
This could be a monitor, or a pre-loaded NTA for certain domains. Not crazy about the pre-loaded idea, but it would avoid a period of scrambling.

Scott

On Oct 29, 2014, at 5:11 PM, Warren Kumari <[email protected]> wrote:

> Over on the BIND-Users list there is currently a discussion of
> fema.net (one of the "Federal Emergency Management Agency" domains)
> being DNSSEC borked
> (https://lists.isc.org/pipermail/bind-users/2014-October/094142.html)
>
> This is an example of the sort of issues that an NTA could address --
> I'd like to note that currently neither Google Public DNS (8.8.8.8)
> nor Comcast (75.75.75.75) have put in an NTA for it, but if it were
> fema.gov, and this were during some sort of national disaster in the
> US, things might be different...
> W
>

===================================
Scott Rose
NIST
[email protected]
+1 301-975-8439
Google Voice: +1 571-249-3671
http://www.dnsops.gov/
===================================

_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
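The "monitor" alternative Scott raises, sketched as an added example (not code from the thread, NIST, or any resolver project): a watchlist of names that low-level services depend on is probed twice against the same validating resolver, once normally and once with the CD (checking disabled) bit set. A name that SERVFAILs when validated but answers with CD set is a DNSSEC validation failure of the nist.gov / fema.net kind, which is the only case an NTA can fix; a name that fails both ways is an outage an NTA would not help with. The `DnsResult` type, the `classify` verdict labels and the sample probe data are all constructed for this example; a real monitor would fill the results from its DNS library and hand the candidates to a human for the "is this really misconfiguration, not an attack" check before any NTA is installed.

```python
"""Offline sketch of a DNSSEC-failure monitor for a watchlist of names whose
breakage end users would not notice directly (NTP servers, OCSP responders...).
Example code; the data model and labels are assumptions, not a real resolver API."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class DnsResult:
    """Minimal view of one resolver response (constructed for this example)."""
    rcode: str                                   # "NOERROR", "SERVFAIL", "NXDOMAIN", ...
    answers: List[str] = field(default_factory=list)
    ad: bool = False                             # AD flag: validator authenticated the data


def classify(validated: DnsResult, checking_disabled: DnsResult) -> str:
    """Compare a normal lookup with the same lookup sent with CD=1.

    secure    validated fine
    insecure  answered without a DNSSEC chain; nothing for an NTA to do
    bogus     validation fails but raw data is there with CD=1: the NTA case
    outage    fails even with CD=1: an NTA cannot help, the service is down
    """
    if validated.rcode == "NOERROR":
        return "secure" if validated.ad else "insecure"
    if validated.rcode == "SERVFAIL":
        if checking_disabled.rcode == "NOERROR" and checking_disabled.answers:
            return "bogus"
        return "outage"
    return "other:" + validated.rcode


Probe = Tuple[DnsResult, DnsResult]              # (validated, checking_disabled)


def nta_candidates(watchlist: List[str], probes: Dict[str, Probe]) -> List[str]:
    """Watchlist names currently classified as bogus, i.e. the ones an operator
    should review and possibly cover with a time-limited NTA on their zone."""
    out = []
    for name in watchlist:
        if name in probes and classify(*probes[name]) == "bogus":
            out.append(name)
    return out


# Constructed sample: the nist.gov situation from the mail, a healthy unsigned
# name, and a name that is simply down. Addresses are documentation ranges.
WATCHLIST = ["time.nist.gov", "pool.ntp.org", "ocsp.example.net"]
SAMPLE_PROBES: Dict[str, Probe] = {
    "time.nist.gov":    (DnsResult("SERVFAIL"),
                         DnsResult("NOERROR", ["192.0.2.10"])),
    "pool.ntp.org":     (DnsResult("NOERROR", ["198.51.100.7"], ad=False),
                         DnsResult("NOERROR", ["198.51.100.7"])),
    "ocsp.example.net": (DnsResult("SERVFAIL"), DnsResult("SERVFAIL")),
}


def report(watchlist: List[str] = WATCHLIST,
           probes: Dict[str, Probe] = SAMPLE_PROBES) -> Dict[str, str]:
    """Verdict per watched name, for a dashboard or an alert."""
    return {n: classify(*probes[n]) for n in watchlist if n in probes}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:20s} {verdict}")
    print("NTA review candidates:", nta_candidates(WATCHLIST, SAMPLE_PROBES))
```

The split between "bogus" and "outage" is the point: a pre-loaded NTA would mask both, while a monitor only flags the case where the data is actually available and only validation is in the way, which is the case the thread is about.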
